Overview

overview

10

Static

static

10

dec50393eb...f3.exe

windows7-x64

10

dec50393eb...f3.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    151s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
  • submitted
    27-05-2024 03:36

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    dec50393ebe75e7a9b14f7c14bf75a7ffe083bac7361bbbcf0f2be554c966ff3.exe

  • Size

    968KB

  • MD5

    c82a3da38e0debb9a378f1dc3777c33e

  • SHA1

    aa6c7428f186d9498ca705b9c0d58736757a632e

  • SHA256

    dec50393ebe75e7a9b14f7c14bf75a7ffe083bac7361bbbcf0f2be554c966ff3

  • SHA512

    628cda89421e6327ba5a274d28386faf0b56c35f52dc237bbc310aef2a20ec5d5b7fb1bc4f22d610981ce5c6a9733bfc16568f473eb23b43094637b1db969cc1

  • SSDEEP

    24576:FmtpMM4Qevjz8fSEhQKQWxUg9RzZtNMiTRqfLj:EpviIOYxUQRzZtNyj

Score
10/10
asyncratquasarstormkittyvenomratwindows securityevasionratrootkitspywarestealertrojan

Malware Config

Extracted

Family

quasar

Version

2.1.0.0

Botnet

Windows Security

C2

37.0.14.203:7812

Mutex

VNM_MUTEX_2r4e6JnVsMyKl6Aod6

Attributes
  • encryption_key

    7m3r0pz1Q0GDX0J3KjKp

  • install_name

    Windows Security.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Windows Updated

  • subdirectory

    Win32

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers written in C#.

    ratasyncrat
  • Contains code to disable Windows Defender 4 IoCs

    A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs
    evasiontrojan
  • Quasar RAT

    Quasar is an open source Remote Access Tool.

    trojanspywarequasar
  • Quasar payload 4 IoCs
  • StormKitty

    StormKitty is an open source info stealer written in C#.

    stealerstormkitty
  • StormKitty payload 1 IoCs
  • VenomRAT

    VenomRAT is a modified version of QuasarRAT with some added features, such as rootkit and stealer capabilites.

    ratrootkitstealervenomrat
  • Async RAT payload 1 IoCs
    rat
  • Detects Windows executables referencing non-Windows User-Agents 4 IoCs
  • Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers. 4 IoCs
  • Detects binaries and memory artifacts referencing sandbox DLLs typically observed in sandbox evasion 1 IoCs
  • Detects executables containing URLs to raw contents of a Github gist 1 IoCs
  • Detects executables containing artifacts associated with disabling Widnows Defender 4 IoCs
  • Detects executables embedding registry key / value combination indicative of disabling Windows Defender features 4 IoCs
  • Detects executables referencing Discord tokens regular expressions 1 IoCs
  • Detects executables referencing Windows vault credential objects. Observed in infostealers 1 IoCs
  • Detects executables referencing credit card regular expressions 1 IoCs
  • Detects executables referencing many VPN software clients. Observed in infosteslers 1 IoCs
  • Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers 1 IoCs
  • Detects executables using Telegram Chat Bot 1 IoCs
  • Detects executables with interest in wireless interface using netsh 1 IoCs
  • Detects file containing reversed ASEP Autorun registry keys 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 9 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 40 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\dec50393ebe75e7a9b14f7c14bf75a7ffe083bac7361bbbcf0f2be554c966ff3.exe
    "C:\Users\Admin\AppData\Local\Temp\dec50393ebe75e7a9b14f7c14bf75a7ffe083bac7361bbbcf0f2be554c966ff3.exe"
    1⤵
    • Modifies Windows Defender Real-time Protection settings
    • Loads dropped DLL
    • Windows security modification
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2364
    • C:\Windows\SysWOW64\schtasks.exe
      "schtasks" /create /tn "Windows Updated" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\dec50393ebe75e7a9b14f7c14bf75a7ffe083bac7361bbbcf0f2be554c966ff3.exe" /rl HIGHEST /f
      2⤵
      • Creates scheduled task(s)
      PID:2736
    • C:\Users\Admin\AppData\Roaming\Win32\Windows Security.exe
      "C:\Users\Admin\AppData\Roaming\Win32\Windows Security.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2624
      • C:\Windows\SysWOW64\schtasks.exe
        "schtasks" /create /tn "Windows Updated" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Win32\Windows Security.exe" /rl HIGHEST /f
        3⤵
        • Creates scheduled task(s)
        PID:2460
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "powershell" Get-MpPreference -verbose
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2472
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /k start /b del /q/f/s %TEMP%\* & exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:756
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /K del /q/f/s C:\Users\Admin\AppData\Local\Temp\*
        3⤵
          PID:544
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\zNr1WkQwCf4U.bat" "
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:1048
        • C:\Windows\SysWOW64\chcp.com
          chcp 65001
          3⤵
            PID:3040
          • C:\Windows\SysWOW64\PING.EXE
            ping -n 10 localhost
            3⤵
            • Runs ping.exe
            PID:2036
          • C:\Users\Admin\AppData\Local\Temp\dec50393ebe75e7a9b14f7c14bf75a7ffe083bac7361bbbcf0f2be554c966ff3.exe
            "C:\Users\Admin\AppData\Local\Temp\dec50393ebe75e7a9b14f7c14bf75a7ffe083bac7361bbbcf0f2be554c966ff3.exe"
            3⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:3028

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\Cab3F44.tmp
        Filesize

        68KB

        MD5

        29f65ba8e88c063813cc50a4ea544e93

        SHA1

        05a7040d5c127e68c25d81cc51271ffb8bef3568

        SHA256

        1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

        SHA512

        e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\Tar3F75.tmp
        Filesize

        177KB

        MD5

        435a9ac180383f9fa094131b173a2f7b

        SHA1

        76944ea657a9db94f9a4bef38f88c46ed4166983

        SHA256

        67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

        SHA512

        1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\zNr1WkQwCf4U.bat
        Filesize

        261B

        MD5

        59f9882725a27b767dcebb2d3beb6992

        SHA1

        69f1f73410403c60d293637b68e0a2bdb02bd245

        SHA256

        718358cf36d4f33e0c31c107210bce9c7942a0501a88606e910acf2232385120

        SHA512

        03ff4976968566f63bc88fc93b8daf7cf60e99a44c4703eadd3dff0cc2c3dacb72aa4a8a0a20d91f0f3377cb1b8d75a1670b8fee3d3b849fb0936f79a1aafc56

        Download Submit

      • \Users\Admin\AppData\Roaming\Win32\Windows Security.exe
        Filesize

        968KB

        MD5

        c82a3da38e0debb9a378f1dc3777c33e

        SHA1

        aa6c7428f186d9498ca705b9c0d58736757a632e

        SHA256

        dec50393ebe75e7a9b14f7c14bf75a7ffe083bac7361bbbcf0f2be554c966ff3

        SHA512

        628cda89421e6327ba5a274d28386faf0b56c35f52dc237bbc310aef2a20ec5d5b7fb1bc4f22d610981ce5c6a9733bfc16568f473eb23b43094637b1db969cc1

        Download Submit

      • memory/2364-0-0x0000000074A0E000-0x0000000074A0F000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2364-2-0x0000000074A00000-0x00000000750EE000-memory.dmp

        Filesize

        6.9MB

        Download

      • memory/2364-1-0x00000000003C0000-0x000000000044C000-memory.dmp

        Filesize

        560KB

        Download

      • memory/2364-68-0x0000000074A0E000-0x0000000074A0F000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2364-69-0x0000000074A00000-0x00000000750EE000-memory.dmp

        Filesize

        6.9MB

        Download

      • memory/2364-79-0x0000000074A00000-0x00000000750EE000-memory.dmp

        Filesize

        6.9MB

        Download

      • memory/2624-11-0x0000000074A00000-0x00000000750EE000-memory.dmp

        Filesize

        6.9MB

        Download

      • memory/2624-12-0x0000000074A00000-0x00000000750EE000-memory.dmp

        Filesize

        6.9MB

        Download

      • memory/2624-70-0x0000000074A00000-0x00000000750EE000-memory.dmp

        Filesize

        6.9MB

        Download

      • memory/2624-10-0x0000000000E70000-0x0000000000EFC000-memory.dmp

        Filesize

        560KB

        Download

      • memory/2624-81-0x0000000074A00000-0x00000000750EE000-memory.dmp

        Filesize

        6.9MB

        Download

      • memory/3028-82-0x0000000000F40000-0x0000000000FCC000-memory.dmp

        Filesize

        560KB

        Download